Web tracking giants Facebook and Google don’t consider themselves data-sellers under CCPA
Facebook explicitly refuses to adapt its web-tracking services, Google releases “restricted data processing” setting for publishers but doesn’t curtail Google Analytics data collection practices.
The CCPA defines the term “sale” extensively, and includes the transfer of data for any valuable consideration. Ever since the CCPA was signed into law, players profiting from targeted advertising have been concerned that the transferral of data from a publisher to an advertiser might be considered a “sale” under the new law. On the one hand, the data-transferring party does not directly receive funds in return for the data. On the other hand, the data-transfers enable more targeted advertising on publishers websites and apps, and advertisements are often a publisher’s primary source of revenue.
Categorizing online-ad-improving data-transfers as a sale would have a massive impact, as it would require businesses to include a “Do Not Sell My Personal Information” link on their website, give consumers an easy way to opt-out of these sales, and force businesses to communicate opt-outs to downstream parties. Completely changing the status quo of the existing digital advertising ecosystem.
How Facebook and Google make their money
Facebook and Google are responsible for approximately 90% of the yearly growth of the entire digital advertising industry. 98.5% of Facebook's revenue is made through advertising; for Google it's around 90%. Both Google and Facebook operate “walled gardens,” named for the nature of their data usage: they cultivate data from people’s usage of their platforms (and enrich it with off-site data), and then sell advertising access to people based on their data attributes (but not the data itself, hence the “walled” reference). They hoard vast amounts of user data to allow their business-clients to run very specific and targeted advertising campaigns.
When setting up a campaign under Facebook or Google, businesses define what their maximum ad spend or bid will be, and to what audience they want to show their ad. When choosing an audience, they can define specific age groups, gender, location, interests, keywords and more. Facebook or Google determines the most appropriate ad for each slot via an auction and shows it to consumers matching the audience profile. Both companies might not directly trade personal information for money, but they do sell access to consumers based on data and profit from it massively.
On December 12th, Facebook told advertisers during a private call that it would not make any changes to its common practice of transferring data about consumers, stating that in their view, this is not a “sale” as per CCPA. A spokesperson stated that Facebook operates as a “service provider” to their advertising businesses, with “service provider” being a specific type of actor under CCPA with specific limitations to what it can do with shared (not “sold”) data.
Facebook gives websites a free piece of tech called Pixel. Pixel helps track the activity of site visitors and then sends this information back to Facebook—not the installers of Pixel—and helps Facebook link site visitor information to Facebook profile owners.
According to the spokesperson, businesses are already able to manage whether and how they send information through Pixel, meaning that they have all the tools they need to be able to honor an opt-out of sale request. These tools are similar to Google’s “restricted data processing” setting (described below), although they weren’t specifically introduced in the light of the CCPA.
The issue is that Pixel sends the data it collects back to Facebook, from which they profit hugely as an advertising business. This makes Facebook’s categorization as a CCPA service provider doubtful. Service providers may not use the data they collect or process on behalf of a business for any other purposes than performing the services specified in the contract with that business. It is highly questionable that Facebook’s use of the Pixel-data falls under the purpose of performing the specified service.
Alistair Mctaggert, the real-estate Mogul who was the catalyst for today’s CCPA, strongly opposed Facebook’s stance: “To the extent that the pixel is sending back information to Facebook that Facebook can then access without any restrictions, that absolutely is a sale.”
Facebook is infamous for its poor data handling practices. The company was issued the largest fine in FTC history for its role in the Cambridge Analytica scandal, and was questioned intensely about it’s privacy practices before Congress again this October in the light of it’s launch of the Libra project. Just recently, Facebook settled another privacy lawsuit focused on collection of biometric data for $550 million. It seems that Facebook is setting itself up for more scrutiny, this time under the CCPA.
Early November, Google positioned itself as a company taking CCPA compliance seriously when it launched new features to help their publishers comply with CCPA within Google Ads. The “restricted data processing” setting will limit how Google uses data and signal Google to serve non-personalized ads. Under certain circumstances, Google states that it acts as a service provider when it’s enabled, easing the compliance burden on the publishing business.
However, getting around the CCPA is not that simple for an advertising giant like Google. Just like Facebook, the company collects vast amounts of data through businesses using its tracking tools. Google Analytics is used by 85% of websites worldwide, and thanks to proprietary browser Chrome, with a market share of 64%, Google can easily recognize users across different devices.
Businesses don’t pay for Google Analytics, but the data that Google Analytics collects and analyzes for the business is also used by Google themselves, which indirectly allows them to make a lot of money. A model very similar to the Pixel-model described above, bringing with it the same set of problems.
Google clearly believes they have nothing to worry about, when stating their “ads and data” page that they never sell personal information. Just like Facebook’s statement, this will certainly need to be examined by the California Attorney General in the near future.
Google has launched a toolset for advertisers to be able to signal Google to only serve non-targeted ads, and according to a Facebook’s spokesperson Pixel already offers similar functionality, but those are far from the last words on the matter.
The website tracking practices of both Google and Facebook could still be interpreted as a data sales under the CCPA, despite their perspectives. Categorizing the two ad tech giants as service providers, when they use data collected on behalf of businesses they work with to strengthen their own position in advertising, is certainly a stretch.
The main goal of the ballot initiative, submitted by Californians for Consumer Privacy under Alistair Mactaggert, which became the catalyst for today’s CCPA, was exactly to curtail the data practices of giants like Facebook and Google. It would be disheartening to see these players get away with their actions via a loophole in the CCPA that came into force.
Now that the comment period for the Regulations proposed by California’s Attorney General has ended, the final version of these regulations will follow soon. Many commenters have asked for clarity on the definition of the term “sale” and its meaning for the AdTech industry. If the issue is not clarified there, we will have to wait for the Attorney General enforcements—starting July 1st, 2020 — to see whether the hammer will be brought down.Consumer PrivacyCCPA Data Misuse Deep Dives Ad Tech